Security researchers at Tech Analysis in Australia have reported series of critical firmware vulnerabilities found in Cisco IP phone, that can be exploited by hackers having access to private networks in companies and eventually compromise or hack the phone to listen to others communication or make unauthorized calls.
The affected devices include Cisco’s small business SPA300 and SPA500 Internet Protocol (IP) phones running firmware version 7.5.5. However, later versions of these device may also be affected and can be hacked as well – Cisco Alerted.
Most phones are configured to be accessible from the Internet at many Companies and hence Hacker can easily locate the vulnerable devices by using the popular Shodan search engine.
But to exploit these vulnerabilities, an attacker needs access to trusted, internal networks behind a firewall to be able to send crafted XML requests to the target device. I.e. anyone who has access to your companies internal network, can carry out the attacks using these vulnerabilities.
Latest Cisco IP phone vulnerabilities:
Unauthenticated remote dial vulnerability (CVE-2015-0670)
Affected phones: Cisco Small Business SPA300 and SPA500 Series IP Phones
This Vulnerability actually resides in the default configuration of certain Cisco IP phones is due to “improper authentication”, which allows hackers to remotely eavesdrop on the affected devices by sending specially crafted XML request without needing to authenticate.
Know more: Remote Dial Vulnerability (CVE-2015-0670)
Local code execution vulnerability (CVE-2014-3312)
Affected phones: Cisco Small Business SPA300 and SPA500 Series IP Phones
The vulnerability resides in the debug console interface of the phone. An attacker can access the debug shell and file system of the affected device without authorization and a successful exploit could result in a complete system compromise.
Know more: Code execution vulnerability (CVE-2014-3312)
Cross-site scripting (XSS) vulnerability (CVE-2014-3313)
Affected phones: Cisco Small Business SPA300 and SPA500 Series IP Phones
This vulnerability resides in the web user interface of the Cisco Small Business IP Phones. This vulnerability allows attacker to execute a cross-site scripting (XSS) attack by persuading a user to click a specially crafted URL.
Know more: XSS vulnerability (CVE-2014-3313)
Some security measures recommended by Cisco
Cisco has not patched the vulnerabilities yet and is now working on the issue, However to mitigate the risk they have suggested some security guidelines for Administrators and users:
- Users are advised not to click any suspicious links that cannot be verified as safe.
- Monitor and Enable XML Execution authentication in the configuration settings of affected devices.
- Allow only trusted users to access local systems and trusted systems to access the affected devices.